Class: Conjur::Command::Bootstrap

Inherits: Conjur::Command

Defined in: lib/conjur/command/bootstrap.rb

Overview

Copyright © 2014 Conjur Inc

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Class Method Summary

Methods inherited from Conjur::Command

acting_as_option, annotate_option, api, command, command_impl_for_list, command_options_for_list, current_user, destination_role, display, display_members, give_away_resource, hide_docs, highline, integer?, interactive_option, method_missing, prompt_for_annotations, prompt_for_group, prompt_for_id, prompt_for_idnumber, prompt_for_password, prompt_for_public_key, prompt_to_confirm, read_till_eof, require_arg, retire_options, retire_resource, retire_role, validate_privileges, validate_public_key, validate_retire_privileges

Methods included from IdentifierManipulation

#conjur_account, #full_resource_id, #get_kind_and_id_from_args

Class Method Details

.security_admin_manager?(api) ⇒ Boolean

Determines whether the currently logged-in user has sufficient privilege to perform bootstrap. This is currently determined by checking whether the logged-in role:

  • Is a user

  • Has admin privilege on the security_admin group role

  • Is an owner of the security_admin group resource

The admin user will always satisfy these conditions, unless they are revoked for some reason. Other users created by the bootstrap command will (typically) also have these powers.

Returns:

  • (Boolean)
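The three conditions above are easier to reason about when each one is reported separately, so that an operator can see which condition a login fails rather than only the final boolean. The following is an added example, not code from conjur-cli or conjur-api-ruby: it models the role, member, resource and group objects with hand-built structs (FakeApi, FakeRole, FakeMember and the like are hypothetical names, and a FakeForbidden error stands in for RestClient::Forbidden), runs the same three checks over a constructed directory, and also covers the edge cases the real method handles: a host login containing "/", a directory where the security_admin group does not exist yet, and a caller who is not even permitted to list the group's members.

```ruby
require 'set'

# Hypothetical stand-ins for the Conjur API objects the check reads; these are
# not conjur-api-ruby classes, just enough structure to exercise the logic offline.
FakeMember   = Struct.new(:member_roleid, :admin_option)
FakeRole     = Struct.new(:roleid, :memberships, :members) # memberships: roleids held; members: grants of this role
FakeResource = Struct.new(:ownerid)
FakeGroup    = Struct.new(:present, :role, :resource) do
  def exists?; present; end
end
FakeUser     = Struct.new(:login, :role)
class FakeForbidden < StandardError; end # plays the part of RestClient::Forbidden

class FakeApi
  attr_reader :username # the login the CLI authenticated as
  def initialize(username, users, group)
    @username, @users, @group = username, users, group
  end
  def user(login); @users.fetch(login); end
  def group(_id); @group; end
end

# Same three conditions as security_admin_manager?, but reported one by one so an
# operator can see which condition a login fails, not only the final verdict.
def bootstrap_eligibility(api)
  report = { user: false, admin_of_group: false, owns_group: false, eligible: false }
  return report if api.username.include?('/') # host logins ("host/...") never qualify
  report[:user] = true
  user  = api.user(api.username)
  group = api.group('security_admin')
  unless group.exists?
    report[:eligible] = (user.login == 'admin') # before bootstrap only the built-in admin qualifies
    return report
  end
  begin
    held = Set.new(user.role.memberships)
    report[:admin_of_group] = group.role.members.any? { |m| held.include?(m.member_roleid) && m.admin_option }
    report[:owns_group]     = held.include?(group.resource.ownerid)
    report[:eligible]       = report[:admin_of_group] && report[:owns_group]
  rescue FakeForbidden
    report[:eligible] = false # cannot even list the group's members: not privileged enough
  end
  report
end

ACCOUNT = 'example' # constructed account name
SEC_ADMIN_ROLEID = "#{ACCOUNT}:group:security_admin"
def user_roleid(login); "#{ACCOUNT}:user:#{login}"; end

# Constructed directory: every user holds only its own role.
def sample_users
  %w[admin alice bob].to_h { |l| [l, FakeUser.new(l, FakeRole.new(user_roleid(l), [user_roleid(l)], []))] }
end

# admin owns the group and is an admin member; alice is an admin member but not
# the owner; bob is a plain member without admin option.
def sample_api(username)
  members = [FakeMember.new(user_roleid('admin'), true),
             FakeMember.new(user_roleid('alice'), true),
             FakeMember.new(user_roleid('bob'), false)]
  group = FakeGroup.new(true, FakeRole.new(SEC_ADMIN_ROLEID, [], members), FakeResource.new(user_roleid('admin')))
  FakeApi.new(username, sample_users, group)
end

# Same directory before bootstrap has created the security_admin group.
def no_group_api(username)
  FakeApi.new(username, sample_users, FakeGroup.new(false, nil, nil))
end

# Directory where the caller is not allowed to read the group's grants at all.
def forbidden_api(username)
  role = FakeRole.new(SEC_ADMIN_ROLEID, [], [])
  def role.members; raise FakeForbidden; end
  FakeApi.new(username, sample_users, FakeGroup.new(true, role, FakeResource.new(user_roleid('admin'))))
end

if __FILE__ == $PROGRAM_NAME
  %w[admin alice bob host/web-01].each do |login|
    puts "#{login}: #{bootstrap_eligibility(sample_api(login))}"
  end
end
```

Run as a script it prints one report per login. The split report is the useful part: alice fails only the ownership check, bob fails both, and a Forbidden response is reported as ineligible rather than as an error, which is the same conservative choice the real method makes.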


# File 'lib/conjur/command/bootstrap.rb', line 51

def self.security_admin_manager? api
  username = api.username
  # Host logins contain a '/' ("host/..."); only user logins are eligible
  user = if username.index('/')
    nil
  else
    api.user(username)
  end
  security_admin = api.group("security_admin")
  # All role ids the user is a member of
  memberships = user.role.memberships.map(&:roleid) if user
  
  if user
    if security_admin.exists?
      begin
        # The user has a role which is admin of the security_admin role
        # The user has the role which owns the security_admin resource
        security_admin.role.members.find{|m| memberships.member?(m.member.roleid) && m.admin_option} &&
          memberships.member?(security_admin.resource.ownerid)
      rescue RestClient::Forbidden
        # Not permitted to read the group's members: treat as not privileged
        false
      end
    else
      # No security_admin group yet: only the built-in admin user qualifies
      # (user was looked up by this same login, so compare the login directly)
      username == "admin"
    end
  else
    false
  end
end